Fraud detection using augmented analytics

ABSTRACT

Systems and methods ingest extensive data regarding real-time transactions to determine correlation between a variety of parameters and possible fraud events. Possible fraud can be predicted, and notifications delivered to a fraud team. Correlations can be discovered using unsupervised machine learning, and particular systems and methods can utilize natural language processing to both receive and provide information concerning fraud risk and countermeasures.

TECHNICAL FIELD

This patent application claims priority to and the benefit ofprovisional patent application 62/908,191 filed Sep. 30, 2019, which isincorporated herein by reference in its entirety.

TECHNICAL FIELD

The field of invention relates to augmented analytics, and moreparticularly to predicting and reducing fraud, and modifying policies ormanagement for risk of fraud, using augmented analytics.

BACKGROUND

Ever larger amounts of data are available to businesses and theircustomers. Some may come through deliberate entry or submission andretention. Other can be collected passively through the vast array ofnetworked devices and communication channels available today. Users'locations, activities, purchasing habits, communication, et cetera, canall be aggregated when permissions are granted to access and share data.This information is dramatically more complex and fulsome thaninformation routinely utilized in, e.g., actuarial data sets.

While a great deal of resources are committed to collecting,communicating, and aggregating this data, it is not always useful. It isoverwhelming to any human observer. To begin to grasp informationtherein, computers have been utilized. However, it is not wellunderstood how to best harness the use of computers in this regard.

Fraud detection remains a challenge and results in dramatic losses forfinancial service companies. As sensors and network connectionsproliferate, volumes of data are becoming available that could be usedto identify new factors or combinations of factors that are suggestiveof fraud. It would be beneficial to develop a system that could identifyreal-time transactions involving fraud risk, particularly relating topreviously undiscovered correlations which may be discoverable throughmachine learning.

One aspect which could be improved is the prediction and reduction of,or adjustment for, fraud in real-time transactions. There is a need fornew techniques to utilize data to improve and increase efficiency infraud avoidance.

SUMMARY

The needs existing in the field are addressed by the present disclosure,which relates to systems, methods, and computer usable media forpredicting and reducing or avoiding fraud.

In an embodiment, a method comprises ingesting fraud data related to afraud event. The fraud data includes contextual data describing contextsurrounding the fraud event, and the fraud data is ingested to anindividual record associated with an entity involved in the fraud event,and wherein the individual record has a record format. The method alsocomprises ingesting real-time transaction data, wherein the real-timetransaction data includes data describing a requested transaction andtransactional contextual data associated with the requested transaction.The method also comprises determining whether a correlation match existsbetween the fraud data and the real-time transaction data and causing anaction to close the real-time transaction associated with the real-timetransaction data based on the correlation match. Closing the real-timetransaction includes causing completion of the real-time transactionwhen the correlation match does not exist, and closing the real-timetransaction includes freezing the real-time transaction when thecorrelation match exists.

In another embodiment, a system comprises a non-transitorycomputer-readable medium storing instructions. The instructions areconfigured to effectuate a data ingestion component configured to ingestfraud data related to a fraud event and real-time transaction datarelated to a real-time transaction request, wherein the fraud dataincludes contextual data describing context surrounding the fraud event,wherein the real-time transaction data includes data describing arequested transaction and transactional contextual data associated withthe requested transaction, wherein the fraud data is ingested to anindividual record associated with an entity involved in the fraud event,and wherein the individual record has a record format. The instructionsare configured to effectuate a correlation component configureddetermine whether a correlation match exists between the fraud data andthe real-time transaction data. The instructions are also configured toeffectuate a user interface configured to provide a notification basedon the correlation.

This summary is intended to provide a short description of some aspectsonly. Additional and alternative details will be apparent on review ofother portions of this disclosure.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flowchart of an example methodology disclosed herein.

FIG. 2 is a block diagram of an example system disclosed herein.

FIG. 3 is a flowchart of an example methodology disclosed herein.

FIG. 4 is a block diagram of an example system disclosed herein.

FIG. 5 is a block diagram illustrating an example implementation of adevice which can be utilized in conjunction with or comprise a portionof systems disclosed or execute methods herein; and

FIG. 6 is a block diagram of a computer system that be used to implementat least a portion of aspects herein.

DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS

Certain tools for analyzing data in the context of account managementand fraud prevention can be improved through the development ofaugmented analytics technologies which can be used to develop actionableinsights. Conventional techniques lack such capability. For example,human programmers or scientists can inject bias into the analysis cycleby creating routines that search for known relationships. Seeking tobreak these biases dramatically increases the labor required and doesnot guarantee actionable outcomes. However, without such constraints,the data is not pared down, or coincidental and irrelevant factorsassociated with a particular event may be distracting or increase labor.One of several problems concerns how to fully explore available datawithout increasing human labor burdens beyond available levels. Anothersuch problem involves taking the results of such detailed analysis anddiscerning real-world actions that can be taken in response. Aspectsdisclosed herein provide a technological improvement and practicalapplication of aspects described to solve these and other problems. Inparticular, the improvements disclosed herein practically apply suchanalyses to identify fraud risk or events and countermeasures orcorrective actions based thereon. This constitutes a practicalapplication thereof by freezing or completing a transaction based on theresult of the analysis.

Embodiments herein concern the use of augmented analytics to provideactionable feedback that detects, reduces, and/or prevents fraud. Theevents, context, circumstances, statuses, et cetera, around fraud eventscan be analyzed to determine which aspects thereof correlate with fraudor attempted fraud. Circumstances or combinations of circumstances (atone time or occurring over time) can be correlated with fraud.Thereafter, circumstances surrounding transactions (e.g., ongoingtransactions, requested transactions, recent transactions, accountaccess requests, credential requests or requests to reset credentials,account information change, large transactions, frequent transactions,infrequent transactions, account opening or closure, et cetera) can beanalyzed in real-time and when circumstances correlating with fraud aredetected action can be taken in response, such as blocking or completingthe transaction, notifying parties involved, changing security orcredentials, requesting further verification, et cetera. Moreover,proactive actions can be taken based on circumstances correlating withfraud in the absence of a transaction, such as taking preemptive actionto reduce correlation with fraud, assist at-risk parties before theirnext transaction is completed, et cetera.

Artificial intelligence (AI) or machine learning (ML) herein can includea variety of techniques for discovering correlations or refininganalyses performed while searching for patterns or correlations.Supervised machine learning involves training of an agent using labeledtraining data as a set of training examples. In this manner, exampleswhich are provided to identify relationships can be mapped to new datawhere relationships are not identified. Unsupervised learning, incontrast, can analyze data that has not been labeled, classified,categorized, or otherwise prepared with details for how to identifyrelationships, correlations, patterns, et cetera. Reinforcement machinelearning involves the ingestion of additional data to allow the AI/MLagents to self-improve based on the additional feedback or evaluationdata and application of their current calculations to data representingactual outcomes based on their previous calculations. Machine learningtechniques utilized herein can ingest data and determine values based oningested data using, e.g., categorization, regression, transcription,translation/machine translation, structure output determination, anomalydetection, synthesis and sampling, imputation of missing values,denoising, density estimation or probability mass function estimation,or other techniques.

FIG. 1 illustrates an example methodology 100 for predicting andrecognizing fraud. Methodology 100 begins at 102 and proceeds to 104where rich fraud data is received. Rich fraud data can include any andall available data relating to a known or suspected fraud event. Inembodiments, non-fraud-related data can also be received, e.g., datarelating to third parties and/or all entities who could (based onassets, accounts, et cetera), but did not, experience fraud. In thismanner, biases present in data that would occur by analyzing only thoseentities that actually experience fraud or attempted fraud (e.g.,survivorship bias, incidence-prevalence bias, exclusion/inclusionbiases) can be avoided. Moreover, collecting data continuously andanalyzing data before and after losses can avoid length or durationbias. Thus, maximizing available data can allow both positive andnegative results (e.g., how to assess the likelihood of an event or thelikelihood that the same event will not occur) can be explored in themost rigorous manner. Fraud data and non-fraud-related data, and/orcontextual data related with either, and can include (but is not limitedto) actions, behaviors, statuses, locations, accounts, assets,liabilities, et cetera. In embodiments, fraud data or contextual can bereceived that describes more than one entity or individual.

Data may be received in a prepared state, or can be prepared andprocessed utilizing machine learning or various rule-based approaches.While the term “machine learning” is used here, it is understood thatdeep learning, neural networks, and other intelligent approaches areembraced by the disclosure herein.

Rich fraud data, non-fraud data, and/or contextual data can be stored ina record associated with each individual or entity to which the analysesdescribed herein are applied. Records can be stored in a database ofsimilar records (e.g., describing an individual or entity). A record canhave a plurality of fields. Fields can be identified and populated bymachine learning (or other techniques) during ingestion of data foranalysis. Machine learning (or other techniques) can performed datapreparation to strip out incongruent data, prepare relevant data, andidentify patterns in a manner avoiding the biases and inefficiencies ofhuman data scientists. Generation and updating of records can occurduring data prep and ingestion. This can include population of metadataassociated with identified “payload” data (e.g., the informationingested describing the entity to which the record corresponds) todescribe the data itself in terms of, e.g., confidence, source, time ordate stamp, original format (to the extent that the payload isreformatted for database uniformity), identification of related fieldsin the record or other records, et cetera. Records can also have sharedfields, or shared records can exist, that either refer to or populatethroughout a variety of records to which they apply (e.g., data pointsdescribing events or aspects applicable to populations of more than one,such as financial market activity, political events, weather events,other public events, et cetera). Records need not be fixed in size orfields, and in embodiments, fields can be dynamically added to one ormore records as identified by machine learning (or other techniques). Inthis regard, payload data and metadata can be organized to allow fordetailed analysis of records to discover patterns or trends relating tothe entity or entities at large in a consistent manner across ingesteddata.

It is to be understood that, with respect to one individual, theirindividual activity data may be contextual data for a third party, andvice versa. Thus, when looking at groups of members, each can beindividually analyzed (e.g., their individual activity data can becorrelated) with respect to one another, as can parties that do or donot experience fraud and/or third parties. Further, contextual data neednot apply specifically to any one entity, but may apply to two or moregenerally as discussed herein. Still further, an individual's earlierindividual activity data may be contextual data for that individual at alater time (e.g., context pertaining to that individual relating to whenthey experienced or avoided a fraud event can be correlated to futurecontext to discover opportunities that may repeat previous success oravoid previous problems).

Data or data points can be analyzed to correlate an event to some otherdata point(s). The other data points can include contextual data.Contextual data can include a variety of data or data sources which canbe analyzed for correlation with the event. Contextual data can be otherevents (e.g., eating breakfast at 6:30 AM EDT, a particular date of afailed and unauthorized attempt to access an account, days until orsince a recent federal holiday), states or conditions (e.g., thepresence of particular software on a device, an account balance), otherinformation which can be quantified or qualified, or changes anddifferentials thereto (e.g., driving 15 mph faster than previous day,spending more at an establishment for two successive months). Theparticular values, ranges, or incidences (e.g., whether or not somethingoccurs, how many times it has occurred, a measurement quantifying one ormore occurrences), et cetera, are parameters of the contextual data.Contextual data can be grouped in types. These can include, innon-limiting examples intended not to constrain but to suggest thespirit of possible types, such as an “app” type that would identify andcharacterize a mobile application as well as its usage, et cetera; a“food” type that would identify and characterize food purchased orconsumed in terms of, e.g., costs, time of purchase or consumption,amounts, nutrition et cetera; a “movement” type that counts stepswalked, miles driven, speed, orientation, acceleration, et cetera; andso forth. Where contextual data becomes richer, a new field can be addedfor new parameters (e.g., if a mobile device's health sensor is enabledand heartrate becomes available when it previously was not, a new fieldcan be added to one or more “health” types).

Fraud events herein can be, for example, one or more actual or suspectedfraud events (e.g., real-time financial transactions), such as onlinepurchases or other electronic or in-person financial transactions,access or access attempts to accounts, improper or false identification(as a document or an attempt by a person to pass themselves off asanother), attempts to change passwords, attempts or inquiries to accessinformation, spear phishing or other targeted attempts to steal orbreach access or information, et cetera. Types of fraud can relate toany financial instruments including one or more of checks, debit cards,credit cards, electronic transactions, and opening or closing ofaccounts, et cetera. Other events of interest to service providers, suchas suspected fraud, or events separate from fraud that nonethelesscomprise the security or perception of security for account holders(e.g., attempted fraud) can also be determined. Events and context datacan include fields or parameters identifying the particular source ofthe data as an individual or entity as well as include fields orparameters linking the sources/entities to demographic and other detailsallowing for aggregation and grouping. More generally, events can be anyevent, and can be used (with other information such as statuses) tocorrelate to fraud events.

In a more specific example, “public” events that apply to more than oneperson are also included in those events analyzed: financial marketactivity, political or social activity, disruptions to travel orbusiness, disasters, weather, and so forth. Events can include entityaction data, which includes data describing something a member does ordoes not do. In comparison, events that would not be characterized as“entity action data” would be events that occur in the same mannerindependent of entity behavior. Events that do not comprise entityaction data may still influence events included in entity action data,but entity action data will rarely, if ever, influence events that arenot entity action data. For example, an entity's behavior would notinfluence the occurrence of an earthquake, and an average individualentity's retirement account allocations are unlikely to move a majorstock index in any observable manner; but an earthquake or stock indexchange may influence an entity's action and entity action datareflective thereof.

Rich fraud data, and/or non-fraud data, can include (but is not limitedto) information provided through application or periodic updatequestionnaires, and, where authorization is given to access one or moreother sources, cellular or mobile device data (including location, owneractivity, social media activity and interactions, communications withothers, applications installed and application usage, web history andusage, et cetera), purchasing or spending data (including types ofpurchases, time of purchases, frequency of purchases, subscriptions, etcetera), vehicle data (including gas consumption, performance, driverbehavior, et cetera), Internet of Things device data (e.g., datareceived from smart vehicles or appliances including usage, activitydetected thereabout), health data (e.g., from device sensors thatmeasure physical activity, sleep, diet, heart rate, blood pressure, etcetera; from healthcare providers; et cetera), financial data (e.g.,from financial institutions, employers, et cetera), employment data,relationship data (and data from known relations such as spouses,parents, children, siblings, friends, coworkers, et cetera), educationaldata, marketing data, location data (for locations where a party spendstime, such as economic data, crime data, health data, environmentaldata, income data, et cetera, or information about services availableand other similar in an area), hobbies, habits, entertainment,demographic data, et cetera. Such data can relate to individuals, legalentities, groups thereof, and various other accounts, assets,identities, or things that can be stolen or defrauded. Each of these canbe classified or characterized as a particular parameter or data type.Rich fraud data can also include a confidence level associated with eachdata point, which can rank or weight particular types of data based ontheir source (e.g., directly from entity to which data relates, from asource or post associated with the entity to which the data relates,from a third party), the absence or presence of corroborating data(e.g., second data point indicating a similar or related conclusion to afirst data point), or other means.

The rich fraud data (or other data) can include bothcurrent/real-time/rolling data about entities possessing accounts,assets, or identities posing fraud risk. Data received or available fromdatabases can also include past data of the same type or class as thecurrent/real-time/rolling data to allow for comparison and analysis ofsimilar parameters or types as well as cross-analysis of disparateparameters or types. While “rich fraud data” or “fraud data” may be usedto describe individual instances of fraud, it is understood that datacan be aggregated and analyzed with relation to more than one instanceor related party. Thus, where in this disclosure a reference is made to“fraud” or an entity in the singular, it is understood that the pluralmay be aggregated and analyzed without departing from the scope orspirit of the innovation.

At 106, correlations between events (e.g., financial fraud or absencethereof) can be analyzed. Correlations can be found between parametersand a single event or multiple events. This involves analyzing currentdata, or a particular entity's data, in view of the larger data sets forall entities or relevant subsets of entities for the available historyas to a given parameter or data type. Such correlations can bedetermined through multiple iterations of machine learning analysis. Inan embodiment, unsupervised machine learning can analyze recent orcurrent contextual data for one or more parties at risk of fraud todetermine a set of strongest correlations. For example, several hundredcorrelations may be identified and ranked according to the strength ofcorrelation. Trained analysis or feedback can be provided to select ordiscard correlations among those identified based on whether thecorrelation exceeds a threshold, the value of the event (e.g., wheremultiple possible fraud events are correlated, the amount at stake ifthe correlated fraud occurs in any one instance), and/or the utility ofa given correlation. As to utility, for example, coincidental oruncontrollable correlations—such as cloudless, sunny days occurring inJacksonville 52 and 37 days before fraud occurred in San Diego—can bediscarded. However, the presence and frequent use of a particular app onmobile phones correlating to identity theft attempted against thoseusers can be retained. In embodiments, the correlations presented can befiltered according to a threshold of likelihood that an event occurs ata given time or at any point in the future. This can be implementedthrough supervised machine learning, or involve presentation to trainedpersonnel through a user interface and allow for human input used todetermine actionable correlations. In embodiments, an actionablecorrelation is one in which the correlation informs at least one aspectwithin the control of an involved entity, to change the probability ofan event, and/or reduce or increase correlation as to that event. Inembodiments, the value of the event can be used as a weight inassociation with one or both of a correlation threshold or utilityindication to assist with ranking, rather than a separate basis forselecting or discarding a given correlation.

As discussed above, the data received can include real-time transactiondata (and other data), which may be received at 108. The real-timetransaction data can include any data associated with or related to thereal-time transaction. Examples of such real-time transaction data caninclude data required to complete the transaction (or a sanitizedversion thereof to prevent spillage of sensitive data), as well ascontextual data around the transaction and parties involved in thetransaction. Data related to the transaction (which may be contextualdata or transaction data) can include, e.g., time, voice tone,transaction history, biomarkers, location, and transaction type, etcetera.

At 110 a comparison is made between the real-time transaction data andthe rich fraud data. This comparison can, in embodiments, operatesubstantially similarly to the correlation determination made at 106 asdiscussed above. This may, in embodiments, invoke supervised machinelearning, or an iteration of unsupervised followed by supervised machinelearning, to determine if an event of fraud has likely occurred. Thiscomparison at 110 can include (but is not limited to) identifying acorrelation match between the real-time transaction data and one or moreknown or unknown fraud suspects. This can be achieved, for example, byidentifying one or more markers for the fraud suspects and then flagginga present marker existent in the real-time transaction data. Examples ofsuch markers can include but are not limited to, e.g., origin, voiceprint, behavior pattern, et cetera.

In an alternative embodiment, methodology 100 can omit aspects at 106,and proceed to determine correlations only after real-time transactiondata is received. In such embodiments, at 110, correlations aredetermined between previous fraud/fraud attempt events and the detailsof the real-time transaction to which the data relates, includinganalysis of all of the contexts surrounding both the rich fraud data andthe real-time transaction data.

At 112 a determination is made as to whether an actionable correlationrelating to a possible fraud is found. Actionable, in this regard, canrefer to a finding that is timely. “Timely,” in this context, meansbefore the occurrence of an event that renders the action moot (e.g.,closure of an account at risk of fraud, expiration of an identificationthat has been compromised, change of vital statistics) with timeavailable to act before such inevitability; and in embodiments may alsorefer to being within a chronological proximity of such predicted eventso that it is relevant to the member or membership target beingcontacted (e.g., notify increase fraud protection one month to two weeksbefore predicted international travel so that the offer is relevant butmade with sufficient time to consider).

Actionability, in certain embodiments, can be based on a particular typeof action (e.g., change in behavior or use, security measure, contactingthird party, et cetera) is likely to result in the desired outcome(fraud avoidance). “Likely” here can be relative; while it may not beeffective for all parties, it may be worth incentivizing in all cases aseven a 5% fraud avoidance would be cost-effective for the partyperforming methodology 100 or a party indemnifying or cost sharing withthe entity being analyzed. Moreover, costs may be associated withoffering the incentive (e.g., by mail, using human labor to call orvisit property or persons, by automated email), and such means ofwarning of possible loss may also be factored into cost-benefitanalyses. Costs can be compared with a projected benefit (e.g.,projected savings from avoided losses due to reimbursed fraud, projectedincome from accounts retained due to avoidance of non-reimbursed fraudlosses). Where the likelihood of 1) parties taking the corrective actionto avoid the possible fraud and 2) savings by preventing a sufficientamount of fraud loss does not justify the expenditure, the fraud riskmay not be actionable.

Actionability, in certain embodiments, can be based on closing orreconciling a “context difference.” Where the context data containingloss events is analyzed for correlations with individual activity datafor an entity at risk of fraud correlate, but also include differencesthat independently correlate to the occurrence or non-occurrence of theenrollment or deepening event, a correlation can be found actionablewhen the entity or another interested party can take an action to closeor reconcile that difference. For example, where context data shows networth above a certain threshold increases the likelihood that fraudavoiding action is taken in a variety of circumstances, the entity maybe offered incentives, rebates, rate accommodations, or advice to assistwith achieving that net worth. Similar actions could be taken regardingunderstanding of finances, products, world events; access to certainprivate or subscription-based information; professional or socialcontacts; regularity of personal contact with a member servicesrepresentative (“MSR”) or other representative of an organizationresponsible for detecting or addressing fraud; et cetera. Theseforegoing details are provided only for purposes of example, and otheroptions will be appreciated on review of the disclosure herein.

In embodiments, techniques herein need not be standalone machinetechniques, but may be used to augment one or more human MSRs who areactively working to prevent, detect, and/or mitigate fraud. For example,a trigger to cause updated analysis can be scheduled or actual contactbetween an MSR and a member/account. Before or during the contact, theMSR can be provided actionable insights intended to improve thelikelihood of preventing or mitigating fraud. Moreover, while “MSR” isgenerally used in the context of one membership organization'srepresentatives, in embodiments data sharing may occur between multipleorganizations and techniques herein can be leveraged to provide thirdparties or complementary representatives capabilities to better serviceindividuals. In this manner, systems, methods, products, services, etcetera described herein can be “organization agnostic.”

Actionability may additionally be based on whether any action isavailable. For example, if the user has disabled messaging from theinsurer/indemnifier, or if the phone number available is disconnected,the location of an asset that could be subject to fraud attempts isunknown, or if no action can be completed to close a context difference(either because it is impossible or because the cost of performing suchaction exceeds a threshold), the determination at 112 may returnnegative.

If the determination at 112 returns negative, methodology 100 canproceed to 114 where the real-time transaction can be closed, completed,or handled by permitting the real-time transaction to proceed (e.g., tocomplete the transaction). Thereafter, methodology 100 can recycle to104 and continue monitoring.

If the determination at 112 returns positive, methodology 100 canproceed to 116 where the real-time transaction can be closed, completed,or handled by prohibiting the real-time transaction from proceeding(e.g., to freeze the transaction). Other actions can also be takenautomatically or based on responses provided from notified MSRs oradministrators (e.g., trace the phone number or IP address, notify theholder, contact law enforcement).

Upon freezing the real-time transaction at 114, methodology 100 canproceed to 118 where an alert or notification can be issued to one orboth of the user and issuer (e.g., insurer, bank, card issuer, loanservicer, et cetera) using an interface. In various embodiments, aspectsat 118 (or elsewhere) can determine a trigger for initiating an actiondescribed herein. In various embodiments, triggers can be set forimmediate or “when able,” on-demand at a time to be determined,scheduled for a specific time, or based on the occurrence ornon-occurrence of an event. Examples can include, but are not limitedto, immediate email or phone call (automated or by MSR) to discuss apredicted future fraud risk; phone call when an abnormality is detectedin one or more accounts or access attempts; a trigger with respect to aspecific issue to be raised on the next contact received from thecustomer regardless of when that occurs or what issues such contactpertains to; or a social media communication sent after 5:00 PM(member's local time) on a specific date and time that will be timely atthat time. As will be understood, these brief examples (like all herein)are provided for purposes of example only, and the issues, events,times, communication channels, triggers, et cetera, can vary withoutdeparting from the scope or spirit of the innovation.

Thereafter, at 120, methodology 100 can end, or may recycle to 104 orany other aspect.

Aspects at, e.g., 110, 112, or 118, or in alternative or complementaryembodiments elsewhere in methodology 100, natural language processingcan be utilized to more clearly communicate inputs and outputs relatedto the analyses. For example, effectuation of an action at 118 can beprocessed through natural language processing to automaticallyeffectuate personalized communication with the user to report fraud orsuspected fraud, or provide instructions to an MSR or third party toguide personalized communication related thereto. In alternative orcomplementary embodiments, a query can be posed by an MSR, or by anexisting or prospective member, to a system operating methodology 100 oraspects thereof, and natural language processing can be used to initiateanalyses using techniques described herein to provide a response to thequery, which can be converted back to natural language to respond. Forexample, an MSR may ask for the events or statuses that correlate to aparticular user's highest risk of fraud, or a user may ask how to avoidfraud while stationed abroad. In these and other instances, availablecontextual data can be analyzed to provide feedback likely to answerthese example (or other) queries. Finally, natural language processingcan be utilized, in alternative or complementary embodiments, at 104 orother instances where data is ingested, allowing non-technical users todescribe the data or a data point value such that it can be ingested andutilized to populate fields in user records.

FIG. 2 illustrates an example system 200 for predicting and reducingfinancial fraud events. System 200 includes data ingestion component202, data preparation component 204, user interface component(s) 206,unsupervised machine learning component 208, supervised machine learningcomponent 210, fraud detection database 212, correlation component 214,and transaction approval component 216.

Data ingestion component 202 can be one or more communicativeconnections to various data sources to populate records (e.g.,individual records with histories of fraud, individual records with nohistory of fraud, social media, news reporting, partner entitydatabases, et cetera), and can serve as an intermediary between one ormore databases (including but not limited to fraud detection database212) and other components herein. In embodiments, data ingestioncomponent can include various interfaces to devices or network locationsto receive current/real-time/continuous context data regarding entitiesat risk of fraud, both for analysis and to build fraud detectiondatabase 212.

Data preparation component 204 can prepare data according to its classor type to complete ingestion and allow for its systematic storage in,e.g., fraud detection database 212. Preparation can occur usingsupervised machine learning, and may utilized unsupervised machinelearning or reinforcement machine learning based on results fromsupervised machine learning over time. Data preparation component 204can reduce the labor component of analysis for large sets of data fromknown data streams, and may correlate new data streams to known datatypes to establish a new data structure or type for its consistentstorage and ease of analysis thereafter. Data preparation can includearranging the data according to records, which can have predetermined orunconstrained field options (and, in the latter case, machine learningor other techniques may define new fields on-the-fly), and can includemetadata associated with payload data to reflect the age, associatedconfidence level, source, et cetera, of said respective payload data orother record information. Records as described herein, or “raw” orotherwise-arranged individual activity data and contextual data, can bestored in fraud detection database 212 and/or other databases.

Interface(s) 206 can be one or more components or subcomponents thatcommunicate with one or more of data sources, a party at risk of fraud(e.g., to provide an alert, recommendation, notification of credit orpenalty, et cetera), a service provider, an insuring/indemnifying partyor its agents (e.g., to provide alerts, notification of credit orpenalty, correlations for review, et cetera), fraud suspects, or others.Interface(s) 206 can be graphical user interfaces on applications(desktop or mobile) or websites, application programming interfaces(APIs), or other means for providing and/or receiving data.

Unsupervised machine learning component 208 provides unsupervisedmachine learning capability and can analyze one or more events (e.g.,fraud, attempted fraud) and parameters or historical data to determinewhether any correlations exist between that event and various ingesteddata points defining context around the event or similar events/eventtypes. Supervised machine learning component 210 provides supervisedmachine learning capabilities and can analyze one or more events andparameters or historical data to determine whether correlations existwith that event based on its training, which can change over time.

Correlations can be saved to a correlation data type with attributesquantifying the strength of particular correlations (based on, e.g., theconfidence in underlying data and/or the quantitative amount ofcorrelation). Correlations can involve interactions of two, three, ormore parameters (e.g., individual data points in context data), asabsolutes or over periods of time, and such periods of time can be thesame or differ for one or more of the parameters (e.g., daily minutes ofuse of application on mobile phone, weekly level of physical exercise,and two highest dollar amounts spent at coffee shops in singletransactions in reference to a particular type of loss). In embodiments,separate data types or data structures can be provided for correlationsbased on whether they are analyzed by unsupervised machine learning orsupervised machine learning. In such implementations, duplicate orhighly similar correlations can be found, but confidence or dataresolution can be increased through subsequent analyses performed withdifferent types of machine learning. In embodiments, a common data typecan be used, but a field or parameter can indicate the type(s) ofmachine learning applied to the correlation discovered.

In embodiments, correlations of correlations can be found by analyzingdifferent entries or sets of correlation type data in reference to oneanother. In this regard, the presence of one correlation may not providesignificant predictive effect, but the presence of multiplecorrelations, or correlated correlations, could provide insight as tothe likelihood of a particular event or the absence thereof. Thus, oneor both of unsupervised machine learning component 208 and supervisedmachine learning component 210 can analyze stored correlations inreference to events as the amount of correlation data grows. Inembodiments, conducting this type of analysis in real-time or overhistorical data can be used by reinforcement machine learning to improvethe predictive capability of the system based on context correlated withparticular outcomes or events.

In embodiment, a reinforcement machine learning component can also beprovided, but may be a subcomponent (or multiple subcomponents) ofunsupervised machine learning component 208, supervised machine learningcomponent 210, and/or correlation component 214. Moreover, one or bothof unsupervised machine learning component 208 and/or supervised machinelearning component 210 can be subcomponents of correlation component214, vice versa, depending on the architecture of system 200.

Fraud detection database 212 can be a database for storing event data,fraud data, and other data, as well as correlation data from analysisthereof. Fraud detection database 212 can maintain even initiallyunhelpful data, such as discarded correlations, for later re-analysis todetermine whether apparently inconsequential correlations vanish overtime or persist. Where previously discarded correlations persist, if thelength of persistence or level of correlation increases above athreshold, the discarded correlation may be flagged, promoted, orreinserted into the active (e.g., not discarded) correlations forconsideration.

Correlation component 214 can be provided to manage correlationsdiscovered by unsupervised machine learning component 208 or supervisedmachine learning component 210, and/or determine correlations by othertechniques not involving machine learning. For example, correlationcomponent 214 can utilize probabilistic programming, discrete math,linear programming, expert systems, et cetera. Moreover, correlationcomponent can include a rule-based or machine learning approach tomanaging data analyzed or correlations discovered by unsupervisedmachine learning component 208 or supervised machine learning component210, for example, by determining a data set is too small or short to bestatistically relevant and blocking its analysis until more data isreceived or discarding correlations with which the small data set isinvolved, or until the confidence level(s) of respective contextual datapoints involved in the correlation are near certain (e.g., confidenceover 90%).

Correlation component 214 can also be used to determine a contextdifference and determine one or more actions to reconcile or close thecontext difference. Actions reconciling or closing context differencecan be assessed by correlation component 214 and/or transaction approvalcomponent 216 to determine their feasibility.

Supervised or unsupervised machine learning can be invoked (withunsupervised machine learning component 208/supervised machine learningcomponent 210 or independently by correlation component 214) todetermine correlation with or probability of an outcome involving oravoiding fraud given the available data points relating to a possiblefraud target (e.g., member or customer) and associated record(s). Inembodiments, supervised machine learning component 210 (or othersupervised machine learning) can be used to determine realisticfraud-preventing actions, such as those that can reasonably beeffectuated by an interested entity, to counteract the correlation offraud with an entity's context or current events. Supervised machinelearning component 210 (or other supervised machine learning) couldlikewise be used to determine unrealistic actions for discarding thatmight be correlated with an outcome given particular contextual datapoints (e.g., because they cannot be accomplished, because otherentities decline or fail to maintain the recommendations above athreshold frequency, because a benefit (e.g., annual profit margin ofaccount times the probability it is compromised by fraud) of a certainaction falls below a certain threshold given a cost of taking thataction, et cetera). User input may be received for the same purposes,and may be ingested (e.g., using one or both of user interfacecomponent(s)206 and data ingestion component 202) for training ofsupervised machine learning or reinforcement learning. Transactionapproval component 216 can leverage and is operatively coupled withother components of system 200, including, e.g., user interfacecomponent(s) 206, unsupervised machine learning component 208,supervised machine learning component 210, correlation component 214,transaction approval component 218, et cetera, to determinetimely-actionable actions and act on them at appropriate times.Timely-actionable actions (e.g., fraud reduction actions) identified candefine a data type or class, and can be stored in fraud detectiondatabase 212.

Transaction approval component 216 can determine and implement how areal-time transaction should be closed or handled (e.g., whether thetransaction should be permitted to complete or be frozen and therebyprohibited from completing). Transaction approval component 218 can alsoreceive additional information from, e.g., user interface component(s)206 and/or correlation component 214 to determine whetheradditionally-obtained information (e.g., the completion of additionalsecurity measures, the provision of additional information to verifyauthenticity) is sufficient to change the closing or handling of thetransaction.

In alternative or complementary embodiments, system 200 can include anatural language processing component, or one or more of data ingestioncomponent 202, data prep component 204, transaction approval component216, and/or other components can include a natural language processingsubcomponent. In system 200 (or other systems and methods disclosedherein) natural language processing can be utilized to more clearlycommunicate inputs and outputs related to the analyses. For example,effectuation of an action by transaction approval component 218 can beprocessed through natural language processing to automaticallyeffectuate personalized communication with the fraud risk partyregarding the risk and countermeasure, or provide instructions to an MSRor third party to guide personalized communication related thereto. Inalternative or complementary embodiments, a query can be posed by anMSR, or by an existing or prospective member, to system 200 orcomponents thereof, and natural language processing can be used toinitiate analyses using techniques described herein to provide aresponse to the query, which can be converted back to natural languageto respond. For example, an MSR may ask for the events or statuses thatcorrelate to a particular user's highest risk of fraud, or a user mayask how to avoid fraud while stationed abroad. In these and otherinstances, available contextual data can be analyzed to provide feedbacklikely to answer these example (or other) queries. Finally, naturallanguage processing can be utilized, in alternative or complementaryembodiments, with data ingestion component 202 or data prep component204, allowing non-technical users to describe the data or a data pointvalue such that it can be ingested and utilized to populate fields inuser records.

FIG. 3 illustrates an example another example methodology 300 forleveraging augmented analytics. Methodology 300 begins at 302 andproceeds to 304 where, in embodiments, data can be ingested. Dataingested can include (but is not limited to) data types or data fromsources described herein. Data can relate to one or more individualmembers associated with statuses, assets, accounts, events, et cetera,presenting a fraud risk. Data can include individual data about theindividual stored in records, data on events (related or unrelated tothe individual), and any other available data.

At 306, data can be prepared in embodiments. Preparation of data caninvolve conversion or reformatting, normalization, or other processes tomake all ingested data common and usable. In embodiments, ingested datacan be statistically analyzed and outliers can be subjected to furtheranalysis to determine whether they should be weighted or discarded iferroneous or result in skewing of a corresponding data set. Preparationcan be concurrent with or part of ingestion such that both are completedafter the data is appropriately formatted for storage according to adata structure for the particular type or source. Metadata can beappended to payload data, or records in general, to assist withidentifying source, confidence, age, et cetera.

In embodiments where data is already available, methodology 300 canoptionally start at 308. Regardless of when initiated, at 308, data canbe analyzed for correlation of different datapoints. In embodiments, oneor more events can be identified in the data, and context and otherevents (concurrent, past, or, in embodiments, following the event) canbe correlated, whether causative or coincidental. Examples of events caninclude but are not limited to, e.g., an identity theft, an occurrenceof fraud, a response time outside a required level of service, a changeto membership or accounts, et cetera.

After determining one or more correlations, a determination is made asto whether a new correlation (e.g., finding correlation between datatypes, certain ranges of data types, or combinations of data types notpreviously associated with the event) is found at 310. If thedetermination returns negative, methodology 300 proceeds to 316 where adetermination is made as to whether an existing correlation is found. Ifthe determination at 316 returns negative, no correlations were foundand methodology 300 can end at 324.

If the determination at 310 returns positive, and a new correlationbetween events or events and surrounding context has been discovered,the correlation can be compared to others in a database storingpreviously correlated events and context at 312. As suggested, groups ofevents, or sets comprising a series of similar-typed events, can be usedto discover a correlation as opposed to viewing each event in isolationand as an independent driver of correlation. A determination is made at314, based on the comparison as to the similarity. If the comparisondetermines that the correlation is dissimilar to others, a newcorrelation entry can be made in the database at 322, unrelated andunlinked to others.

A correlation data structure, by which correlations can be stored, caninclude the data type or source correlated, parameters related thereto(values, ranges, times, incidences, recurrence, et cetera), the strengthof the correlation, confidence in the underlying information, and otherinformation. A correlation data structure can then be used as a basisfor comparison. For example, an entity can provide data including someor all of the data types and sources analyzed to discover correlations.Where data matches some or all of the kinds and corresponding parametersin a correlation entry, actions to avoid or prevent fraud can be takenbased on the likelihood (or absence thereof) regarding the eventscorrelated with those other events or context. Such actions can includebut are not limited to initiating automated communication over one ormore channels, prompting an MSR to initiate communication, promptinganother member or mutual contact to initiate communication on behalf ofthe membership organization, offering an incentive (e.g., payment,credit, coupon, discount, reward, et cetera) to change a securitysetting or account, sending advice or recommending improvements (e.g.,increase security, incentive to change to more secure platform orsystem), increasing general interaction (e.g., soliciting feedback,soliciting options to increase satisfaction, resolving a past complaint)to increase influence regarding fraud-avoiding activities, et cetera.

Returning to the methodology, if the determination at 314 returnspositive, methodology 300 proceeds to 320. This aspect is also reachedby way of 316. If the determination at 316 returns positive, methodology300 proceeds to 318 where a determination is made as to whether theexisting correlation entry identified should be revised. This can bedetermined based on any differences between the existing correlation andthe one discovered at 308. Supervised machine learning, statisticalanalyses, data representing feedback from human review, or othertechniques can be utilized to confirm an existing correlation andwhether differences in the correlation are such that an existing entryshould be revised based on identification of the same correlation withcertain differences (e.g., wider or narrower range of parameters for acorrelated type of context). If the determination at 318 returnsnegative, no further changes are required, and methodology 300 proceedsto end at 326, or may recycle to, e.g., 304, 308, or another aspect.

If the determination at 318 returns positive, methodology 300 proceedsto 320. Whether reached by 318 or 314, at 320, a correlation entry isused either to create a new entry (e.g., as a model) or to modify theexisting entry. In this manner, an entry is created or updated toreflect the most recent data and/or analyses.

Following 320 or 322, methodology 300 can, in embodiments, proceed to324 where a workflow can be updated. Updating a workflow can includetaking, changing, or stopping from various actions based on identifiedcorrelations to increase or decrease correlations or the likelihood ofan event's occurrence or absence (e.g., occurrence or avoidance offraud). Thereafter, at 324, methodology 300 can end at 326, oralternatively recycle to another aspect such as, e.g., 304, 308, etcetera.

FIG. 4 illustrates a system 400 for implementing aspects disclosedherein. System 400 includes ingestion interfaces 402 for receiving eventdata and context data, which can include access to other databases,application programming interfaces, graphical user interfaces, and othermeans for receiving data. Data lake 404 can receive information fromingestion interfaces 402 and be a comprehensive store of event data andcontext data.

Unsupervised machine learning component 406 can perform unsupervisedmachine learning on ingested data and historical data to ascertaincorrelations between one or more particular events (e.g., fraud oravoidance thereof) and context/data points. All correlations, whethercausative (or related in some other manner) or coincidental (orotherwise unrelated but for the correlation), can be determined usingunsupervised machine learning.

Supervised machine learning component 408 and/or correlation interface410 can be used to analyze the correlations discovered. Correlationinterface 410 can be an input/output interface configured to provideinformation to a human operator and receive data representing theirfeedback, or can be an interface connecting to another system orcomponent for reviewing correlations. Supervised machine learningcomponent 408 can include supervised machine learning trained to selector discard correlations based on determinations as to whether they arecausative or coincidental, whether they meet static or variablethresholds for correlation, whether they include any aspectscontrollable by a party involved or affected by the event or context, orother bases. One or both of supervised machine learning component 408and correlation interface 410 can be used to select correlations withutility for actionable decisions.

Correlation database 412 can store correlations found between variousevent data and context data, and various feedback or changes basedthereon. In embodiments, all correlations can be stored along withindications of whether such were selected or discarded. In embodiments,event or contextual data can also be stored in correlation database 412.

Management engine 414 can access correlation database to provideactionable feedback based on correlations identified. In embodiments,management engine can be operatively coupled with one or more interface(including but not limited to ingestion interfaces 402 and/orcorrelation interface 410) to receive information about a particularentity having context and determine whether that entity has correlationwith an event or non-event.

Based on a determination of correlation to an event or non-event bymanagement engine 414, update component 416 can determine actions totake to increase or decrease correlation or otherwise increase ordecrease the likelihood of a particular outcome through use ofsupervised machine learning component 408, unsupervised machine learningcomponent 406, or other rule-based or statistical analysis ofcorrelations in correlation database 412. In embodiments, updatecomponent can automatically update various policies, rules, automatedactions, or other communicatively coupled systems or tasks in responseto the correlation. This can include changing an action (such as thosedescribed throughout this disclosure), providing a credit, imposing apenalty, modifying a policy or contract, modifying a management term orrule, changing a security setting, creating communication “touchpoints”between party at risk of fraud and MSR or fraud reduction team, etcetera.

Aspects disclosed herein can be implemented using computer devices andnetworks. FIG. 5 illustrates a device 500. Device 500 may comprise allor a part of modules or components herein. Device 500 may comprisehardware or a combination of hardware and software. The functionality tofacilitate telecommunications via a telecommunications network mayreside in one or combinations of links, portals, or connections. Device500 depicted in FIG. 5 may represent or perform functionality of anappropriate device 500, or combination of modules or components herein.It is emphasized that the block diagram depicted in FIG. 5 is an exampleand not intended to imply a limitation to a specific implementation orconfiguration. Thus, device 500 may be implemented in a single device ormultiple devices. Multiple network entities may be distributed orcentrally located. Multiple network entities may communicate wirelessly,via hard wire, or any appropriate combination thereof.

Device 500 may comprise a processor 502 and a memory 504 coupled toprocessor 502. Memory 504 may contain executable instructions that, whenexecuted by processor 502, cause processor 502 to effectuate operationsassociated with aspects disclosed herein. As evident from thedescription herein, device 500 is not to be construed as software perse.

In addition to processor 502 and memory 504, device 500 may include aninput/output system 506. Processor 502, memory 504, and input/outputsystem 506 may be coupled together (coupling not shown in FIG. 5 ) toallow communications there between. Each portion of device 500 maycomprise circuitry for performing functions associated with eachrespective portion. Thus, each portion may comprise hardware, or acombination of hardware and software. Accordingly, each portion ofdevice 500 is not to be construed as software per se. Input/outputsystem 506 may be capable of receiving or providing information from orto a communications device or other network entities configured fortelecommunications. For example input/output system 506 may include awireless communications (e.g., WiFi/2.5G/3G/4G/5G/GPS) card.Input/output system 506 may be capable of receiving or sending videoinformation, audio information, control information, image information,data, or any combination thereof. Input/output system 506 may be capableof transferring information with device 500. In various configurations,input/output system 506 may receive or provide information via anyappropriate means, such as, for example, optical means (e.g., infrared),electromagnetic means (e.g., RF, WiFi, Bluetooth®, ZigBee®), acousticmeans (e.g., speaker, microphone, ultrasonic receiver, ultrasonictransmitter), or a combination thereof. In an example configuration,input/output system 506 may comprise a WiFi finder, a two-way GPSchipset or equivalent, or the like, or a combination thereof.

Input/output system 506 of device 500 also may contain communicationconnection 508 that allows device 500 to communicate with other devices,network entities, or the like. Communication connection 508 may comprisecommunication media. Communication media typically embodycomputer-readable instructions, data structures, program modules orother data in a modulated data signal such as a carrier wave or othertransport mechanism and includes any information delivery media. By wayof example, and not limitation, communication media may include wiredmedia such as a wired network or direct-wired connection, or wirelessmedia such as acoustic, RF, infrared, or other wireless media. The termcomputer-readable media as used herein includes both storage media andcommunication media. Input/output system 506 also may include an inputdevice 510 such as keyboard, mouse, pen, voice input device, or touchinput device. Input/output system 506 may also include an output device512, such as a display, speakers, or a printer.

Processor 502 may be capable of performing functions associated withaspects described herein. For example, processor 502 may be capable of,in conjunction with any other portion of device 500, managing socialmedia communications as described herein.

Memory 504 of device 500 may comprise a storage medium having aconcrete, tangible, physical structure. As is known, a signal does nothave a concrete, tangible, physical structure. Memory 504, as well asany computer-readable storage medium described herein, is not to beconstrued as a signal. Memory 504, as well as any computer-readablestorage medium described herein, is not to be construed as a transientsignal. Memory 504, as well as any computer-readable storage mediumdescribed herein, is not to be construed as a propagating signal. Memory504, as well as any computer-readable storage medium described herein,is to be construed as an article of manufacture.

Memory 504 may store any information utilized in conjunction withtelecommunications. Depending upon the exact configuration or type ofprocessor, memory 504 may include a volatile storage 514 (such as sometypes of RAM), a nonvolatile storage 516 (such as ROM, flash memory), ora combination thereof. Memory 504 may include additional storage (e.g.,a removable storage 518 or a nonremovable storage 520) including, forexample, tape, flash memory, smart cards, CD-ROM, DVD, or other opticalstorage, magnetic cassettes, magnetic tape, magnetic disk storage orother magnetic storage devices, USB-compatible memory, or any othermedium that can be used to store information and that can be accessed bydevice 500. Memory 504 may comprise executable instructions that, whenexecuted by processor 502, cause processor 502 to effectuate operationsfor, e.g., listening to social media activity.

FIG. 6 illustrates a computer-based system 600 that may constitute,include parts of, or be used to realize one or more of aspects of, e.g.,systems or methodologies and techniques described herein. Computer-basedsystem 600 includes at least one processor, such as a processor 602.Processor 602 may be connected to a communication infrastructure 604,for example, a communications bus, a cross-over bar, a network, or thelike. Various software aspects are described in terms of this examplecomputer-based system 600. Upon perusal of the present description, itwill become apparent to a person skilled in the relevant art(s) how toimplement the present disclosure using other computer systems orarchitectures.

Computer-based system 600 includes a display interface 606 that forwardsgraphics, text, or other data from communication infrastructure 604 orfrom a frame buffer (not shown) for display on a display unit 608.

Computer-based system 600 further includes a main memory 610, such asrandom access memory (RAM), and may also include a secondary memory 612.Secondary memory 612 may further include, for example, a hard disk drive614 or a removable storage drive 616, representing a floppy disk drive,a magnetic tape drive, an optical disk drive, etc. Removable storagedrive 616 reads from or writes to a removable storage unit 618 in awell-known manner. Removable storage unit 618 may represent a floppydisk, magnetic tape, or an optical disk, and may be read by and writtento by removable storage drive 616. As will be appreciated, removablestorage unit 618 includes a computer usable storage medium havingcomputer software or data stored therein.

In accordance with various aspects of the present disclosure, secondarymemory 612 may include other similar devices for allowing computerprograms or other instructions to be loaded into computer-based system600. Such devices may include, for example, a removable storage unit 620and an interface 622. Examples of such may include a program cartridgeand cartridge interface (such as that found in video game devices), aremovable memory chip (such as an erasable programmable read only memory(EPROM), or programmable read only memory (PROM)) and associated socket,and other removable storage units and interfaces, which allow softwareand data to be transferred from removable storage unit 620 tocomputer-based system 600.

Computer-based system 600 may further include communication interface624. Communication interface 624 may allow software or data to betransferred between computer-based system 600 and external devices.Examples of communication interface 624 include, but may not be limitedto a modem, a network interface (such as an Ethernet card), acommunications port, a Personal Computer Memory Card InternationalAssociation (PCMCIA) slot and card, or the like. Software or datatransferred via communication interface 624 may be in the form of anumber of signals, hereinafter referred to as signals 626, which may beelectronic, electromagnetic, optical or other signals capable of beingreceived by communication interface 624. Signals 626 may be provided tocommunication interface 624 via a communication path (e.g., channel)628.Communication path 628 carries signals 626 and may be implemented usingwire or cable, fiber optics, a telephone line, a cellular link, a radiofrequency (RF) link, or other communication channels.

In this document, the terms “computer readable medium,” “computerprogram medium.” and “computer usable medium” are used to generallyrefer to media such as removable storage drive 616, a hard diskinstalled in hard disk drive 614, or the like. These computer programproducts provide software to computer-based system 600. The presentdisclosure is directed to such computer program products. Unlessotherwise articulated, such media are intended to be non-transitory.

Computer programs (also referred to as computer control logic) may bestored in main memory 610 or secondary memory 612. The computer programsmay also be received via communication interface 604. Such computerprograms, when executed, enable computer-based system 600 to perform thefunctions consistent with the present disclosure, as discussed herein.In particular, the computer programs, when executed, enable processor602 to perform the features of the present disclosure. Accordingly, suchcomputer programs represent controllers of computer-based system 600.

In accordance with an aspect of the present disclosure, where thedisclosure is implemented using a software, the software may be storedin a computer program product and loaded into computer-based system 600using removable storage drive 616, hard disk drive 614, or communicationinterface 624. The control logic (software), when executed by processor602, causes processor 602 to perform the functions of the presentdisclosure as described herein.

A broad scope and variety of systems, methods, and computer products aredisclosed herein. In an example, a method comprises ingesting fraud datarelated to a fraud event. The fraud data includes contextual datadescribing context surrounding the fraud event, and the fraud data isingested to an individual record associated with an entity involved inthe fraud event, and wherein the individual record has a record format.The method also comprises ingesting real-time transaction data, whereinthe real-time transaction data includes data describing a requestedtransaction and transactional contextual data associated with therequested transaction. The method also comprises determining whether acorrelation match exists between the fraud data and the real-timetransaction data and causing an action to close the real-timetransaction associated with the real-time transaction data based on thecorrelation match. Closing the real-time transaction includes causingcompletion of the real-time transaction when the correlation match doesnot exist, and closing the real-time transaction includes freezing thereal-time transaction when the correlation match exists.

Specific embodiments of the foregoing method can provide additionaldetails. Another example embodiment of the example method can compriseproviding a notification that the real-time transaction has been frozen.Another example embodiment of the example method can comprisedetermining a context difference between the fraud data and thecontextual data. Another example embodiment of the example method cancomprise determining an action to reconcile the context difference.Another example embodiment of the example method can comprise preparingat least one of the fraud data and the real-time transaction dataaccording to the record format. In another example embodiment of theexample method, machine learning identifies one or more fields of therecord format to be populated by the fraud data and the real-timetransaction data. In another example embodiment of the example method,the record format is dynamically updated based on identification of anew field type by the machine learning.

In an example, a system comprises a non-transitory computer-readablemedium storing instructions. The instructions are configured toeffectuate a data ingestion component configured to ingest fraud datarelated to a fraud event and real-time transaction data related to areal-time transaction request, wherein the fraud data includescontextual data describing context surrounding the fraud event, whereinthe real-time transaction data includes data describing a requestedtransaction and transactional contextual data associated with therequested transaction, wherein the fraud data is ingested to anindividual record associated with an entity involved in the fraud event,and wherein the individual record has a record format. The instructionsare configured to effectuate a correlation component configureddetermine whether a correlation match exists between the fraud data andthe real-time transaction data. The instructions are also configured toeffectuate a user interface configured to provide a notification basedon the correlation.

Specific embodiments of the foregoing system can provide additionaldetails. In another example system, the instructions are furtherconfigured to effectuate a transaction approval component configured tocomplete the real-time transaction or freeze the real-time transactionbased on the correlation match. In another example system, theinstructions are further configured to effectuate a data preparationcomponent configured to prepare at least one of the fraud data and thereal-time transaction data according to the record format. In anotherexample system, the instructions are further configured to effectuate afraud detection database. In another example system, the correlationcomponent is configured to cause an action to close the real-timetransaction associated with the real-time transaction data based on thecorrelation match; closing the real-time transaction includes causingcompletion of the real-time transaction when the correlation match doesnot exist; and closing the real-time transaction includes freezing thereal-time transaction when the correlation match exists. In anotherexample system, the correlation component is configured to determine acontext difference between the fraud data and the contextual data. Inanother example system, the correlation component is configured todetermine an action to reconcile the context difference.

Aspects similar to the example method(s) or system(s) can be embodied ininstructions on a computer readable medium or other computer productthat when executed or utilized effects processes like those of themethod or other systems herein.

In embodiments, one or more methodologies herein can be combined in anyorder, or aspects of methodologies can be re-ordered. Methodologies oraspects thereof may be performed simultaneously or in conjunction. Inthis manner, the methodologies described and other aspects of systemscan be implemented in integrated manners to provide asset management.Methodologies can proceed iteratively until all anomalies are identifiedand/or an entire asset or group of assets is inspected. Methodologiesherein can proceed iteratively until all anomalies are addressed orfurther resources are unavailable to address any anomaly.

While systems and methodologies herein are described separately, it isunderstood that techniques, functionality, routines, and aspects of thesystems can be performed by or implemented in the methodologies, andvice versa.

The present disclosure can be implemented in hardware such as, forexample, computing hardware and/or application specific integratedcircuits (ASIC), software, or combinations of hardware and software.Implementation of a hardware machine, software, or combinations thereofto perform functions described herein will be apparent to personsskilled in the relevant art(s).

Various aspects disclosed herein are to be taken in the illustrative andexplanatory sense, and should in no way be construed as limiting of thepresent disclosure. All numerical terms, such as, but not limited to,“first” and “second” or any other ordinary or numerical terms, shouldalso be taken only as identifiers, to assist the reader's understandingof the various aspects, variations, components, or modifications of thepresent disclosure, and may not create any limitations, particularly asto the order, or preference, of any aspect, variation, component ormodification relative to, or over, another aspect, variation, componentor modification.

It is to be understood that individual features shown or described forone aspect may be combined with individual features shown or describedfor another aspect. The above described implementation does not in anyway limit the scope of the present disclosure. Therefore, it is to beunderstood although some features are shown or described to illustratethe use of the present disclosure in the context of functional segments,such features may be omitted from the scope of the present disclosurewithout departing from the spirit of the present disclosure as definedin the appended claims.

The present disclosure is described in some instances with reference tosystem architecture, block diagrams, flowchart illustrations of methods,and computer program products according to various aspects of thedisclosure. It will be understood that each functional block of theblock diagrams and the flowchart illustrations, and combinations offunctional blocks in the block diagrams and flowchart illustrations,respectively, can be implemented by computer program instructions orspecial purpose hardware.

In software embodiments, such software elements may be loaded onto ageneral-purpose computer, special purpose computer, or otherprogrammable data processing apparatus to produce a machine, such thatthe instructions that execute on the computer or other programmable dataprocessing apparatus create means for implementing the functionsspecified in the flowchart block or blocks. These computer programinstructions may also be stored in a computer-readable memory (e.g., anon-transitory computer-readable medium) that can direct a computer orother programmable data-processing apparatus to function in a particularmanner, such that the instructions stored in the computer-readablememory produce an article of manufacture including instruction meansthat implement the function specified in the flowchart block or blocks.The computer program instructions may also be loaded onto a computer orother programmable data-processing apparatus to cause a series ofoperational steps to be performed on the computer or other programmableapparatus to produce a computer-implemented process, such that theinstructions that execute on the computer or other programmableapparatus provide steps for implementing the functions specified in theflowchart block or blocks. In an aspect, some or all of the computerprogram instructions may be executed on any remote-hosted applicationframework, for example, by a processor associated with a cloud server.

Accordingly, functional blocks of the block diagrams and flow diagramillustrations support combinations of resources for performing thespecified functions, combinations of steps for performing the specifiedfunctions, and program instruction means for performing the specifiedfunctions. It will also be understood that each functional block of theblock diagrams and flowchart illustrations, and combinations offunctional blocks in the block diagrams and flowchart illustrations, canbe implemented by either special purpose hardware-based computer systemswhich perform the specified functions or steps, or suitable combinationsof special purpose hardware and computer instructions. Further,illustrations of the process flows and the descriptions thereof may makereference to user windows, web pages, websites, web forms, prompts, etcetera. The illustrated steps described herein may comprise in anynumber of configurations including the use of windows, web pages,hypertexts, hyperlinks, web forms, popup windows, prompts, and the like.It should be further appreciated that the multiple steps as illustratedand described may be combined into single web pages and/or windows buthave been expanded for the sake of simplicity. In other cases, stepsillustrated and described as single process steps may be separated intomultiple web pages and/or windows but have been combined for simplicity.

Methodologies herein are described with specific aspects for ease ofexplanation with respect to various embodiments. However, methodologiesembraced under the scope and spirit of the disclosure may vary, toinclude excluding any of the particular aspects described to definebroader or different methods for various use cases or results.

As will be understood, data ingestion, analyses, actions, andcommunication can be performed or caused as described herein usingservers and collective resources, with data transmitted over networks.In this manner, client devices—such as those of entities at risk offraud or parties charged with detecting and preventing fraud—can achievethe benefits of extensive data and intensive processing withoutconsuming the storage, memory, processing power, and bandwidth availableto those devices. This provides superior results that cannot be achievedusing only a local device on behalf of the user, and does not degradethe user experience as would attempting to achieve even a fraction ofthe results achieved based on the disclosures herein.

While aspects of the present disclosure have been particularly shown anddescribed with reference to the examples above, it will be understood bythose skilled in the art that various combinations of the disclosedaspects or additional aspects may be contemplated by the modification ofthe disclosed machines, systems and methods without departing from thespirit and scope of what is disclosed. Such aspects should be understoodto fall within the scope of the present disclosure as determined basedupon the claims and any equivalents thereof.

What is claimed is:
 1. A method, comprising: ingesting fraud datarelated to fraud events, wherein the fraud data includes contextual datadescribing context surrounding the fraud events, wherein the fraud datarespectively associated with each of the fraud events is ingested to anindividual record associated with an entity involved in the respectivefraud event, and wherein the individual record has a record format;ingesting transaction data, wherein the transaction data includes datadescribing transactions and transactional contextual data associatedwith the transactions; determining a plurality of correlations betweenthe fraud data and the transaction data using unsupervised machinelearning of the individual record; analyzing the plurality ofcorrelations using supervised machine learning to identify at least onecausative correlation; receiving real-time transaction data, wherein thereal-time transaction data includes data describing a requestedtransaction and real-time transactional contextual data associated withthe requested transaction; determining whether a fraud correlation matchexists for the requested transaction based on the real-time transactiondata corresponding to at least one of the at least one causativecorrelation; and causing an action to close the real-time transactionassociated with the real-time transaction data based on the fraudcorrelation match, wherein closing the real-time transaction includescausing completion of the real-time transaction when the correlationmatch does not exist, and wherein closing the real-time transactionincludes freezing the real-time transaction when the fraud correlationmatch exists.
 2. The method of claim 1, comprising: providing anotification that the real-time transaction has been frozen.
 3. Themethod of claim 1, comprising: determining a context difference betweenthe fraud data and the contextual data; and determining an action toreconcile the context difference.
 4. The method of claim 1, comprising:preparing at least one of the fraud data and the real-time transactiondata according to the record format.
 5. The method of claim 1, whereinmachine learning identifies one or more fields of the record format tobe populated by the fraud data and the real-time transaction data, andwherein the record format is dynamically updated based on identificationof a new field type by the machine learning.
 6. The method of claim 1,comprising: discarding, using supervised machine learning, at least oneof the plurality of correlations based on the at least one of theplurality of correlations being non-causative.
 7. The method of claim 1,comprising: causing an incentive to be offered to a party associatedwith the requested transaction based on the party completing a behaviorthat eliminates the fraud correlation match.
 8. A system, comprising anon-transitory computer-readable medium storing instructions configuredto effectuate: a data ingestion component configured to ingest frauddata related to fraud events and transaction data related totransactions, wherein the fraud data includes contextual data describingcontext surrounding the fraud events, wherein the transaction dataincludes real-time transaction data, wherein real-time transaction dataamong the transaction data includes data describing a requestedtransaction and transactional contextual data associated with therequested transaction, wherein the fraud data associated with each ofthe fraud events is ingested to an individual record associated with anentity involved in the re iv fraud event, and wherein the individualrecord has a record format; an unsupervised machine learning componentconfigured to determine a plurality of correlations between the frauddata and the transaction data using unsupervised machine learning of theindividual record; a supervised machine learning component configured toanalyze the plurality of correlations using supervised machine learningto identify at least one causative correlation; a correlation componentconfigured to determine whether a fraud correlation match exists for therequested transaction based on the real-time transaction datacorresponding to at least one of the at least one causative correlation;and a user interface configured to provide a notification based on thecorrelation.
 9. The system of claim 8, wherein the correlation componentis configured to cause an action to close the real-time transactionassociated with the real-time transaction data based on the fraudcorrelation match, wherein closing the real-time transaction includescausing completion of the real-time transaction when the fraudcorrelation match does not exist, and wherein closing the real-timetransaction includes freezing the real-time transaction when the fraudcorrelation match exists.
 10. The system of claim 9, wherein theinstructions are further configured to effectuate: a transactionapproval component configured to complete the real-time transaction orfreeze the real-time transaction based on the fraud correlation match.11. The system of claim 8, wherein the instructions are furtherconfigured to effectuate: a data preparation component configured toprepare at least one of the fraud data and the real-time transactiondata according to the record format.
 12. The system of claim 8, whereinthe instructions are further configured to effectuate: a fraud detectiondatabase.
 13. The system of claim 8, wherein the correlation componentis configured to determine a context difference between the fraud dataand the contextual data.
 14. The system of claim 13, wherein thecorrelation component is configured to determine an action to reconcilethe context difference.
 15. A non-transitory computer-readable mediumstoring instructions that when executed by a processor effectuateoperations comprising: ingesting fraud data related to fraud events,wherein the fraud data includes contextual data describing contextsurrounding the fraud events, wherein the fraud data associated witheach of the fraud events is ingested to an individual record associatedwith an entity involved in the respective fraud event, and wherein theindividual record has a record format; ingesting transaction data,wherein the transaction data includes data describing transactions andtransactional contextual data associated with the transactions;determining a plurality of correlations between the fraud data and thetransaction data using unsupervised machine learning of the individualrecord; analyzing the plurality of correlations using supervised machinelearning to identify at least one causative correlation; receivingreal-time transaction data, wherein the real-time transaction dataincludes data describing a requested transaction and real-timetransactional contextual data associated with the requested transaction;determining whether a fraud correlation match exists for the requestedtransaction based on the real-time transaction data corresponding to atleast one of the at least one causative correlation; and causing anaction to close the real-time transaction associated with the real-timetransaction data based on the fraud correlation match, wherein closingthe real-time transaction includes causing completion of the real-timetransaction when the fraud correlation match does not exist, and whereinclosing the real-time transaction includes freezing the real-timetransaction when the fraud correlation match exists.
 16. Thenon-transitory computer-readable medium of claim 15, wherein theinstructions when executed effectuate operations comprising: providing anotification that the real-time transaction has been frozen.
 17. Thenon-transitory computer-readable medium of claim 15, wherein theinstructions when executed effectuate operations comprising: determininga context difference between the fraud data and the contextual data. 18.The non-transitory computer-readable medium of claim 17, wherein theinstructions when executed effectuate operations comprising: determiningan action to reconcile the context difference.
 19. The non-transitorycomputer-readable medium of claim 15, wherein machine learningidentifies one or more fields of the record format to be populated bythe fraud data and the real-time transaction data.
 20. Thenon-transitory computer-readable medium of claim 19, wherein the recordformat is dynamically updated based on identification of a new fieldtype by the machine learning.